Bug 239055 - dev-util/mercurial <1.0.2 hgweb "allowpull" file disclosure (CVE-2008-4297)
Bug#: 239055 (CVE-2008-4297) Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://www.selenic.com/mercurial/wiki/index.cgi/WhatsNew#head-905b8adb3420a77d92617e06590055bd8952e02b
Summary: dev-util/mercurial <1.0.2 hgweb "allowpull" file disclosure (CVE-2008-4297)
Keywords:  
Status Whiteboard: B3 [noglsa]
Opened: 2008-09-29 14:56 0000
Description:   Opened: 2008-09-29 14:56 0000 
CVE-2008-4297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4297):
  Mercurial before 1.0.2 does not enforce the allowpull permission
  setting for a pull operation from hgweb, which allows remote
  attackers to read arbitrary files from a repository via an "hg pull"
  request.

------- Comment #1 From Robert Buchholz 2008-09-29 15:04:23 0000 ------- 
is 1.0.2 ready for stable?

------- Comment #2 From Robert Buchholz 2008-10-03 15:32:24 0000 ------- 
Arches, please test and mark stable:
=dev-util/mercurial-1.0.2
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

------- Comment #3 From Tobias Heinlein 2008-10-03 19:31:30 0000 ------- 
1.0.2 has dev-python/pygments as a dependency. Python team, are we allowed to
mark this package stable?

------- Comment #4 From Jesus Rivero 2008-10-04 14:02:44 0000 ------- 
Hello, 

   I have filed a stablereq on dev-python/pygments-0.10 and added it as a dep
for this bug. 


Best regards,

------- Comment #5 From Tobias Heinlein 2008-10-04 15:37:49 0000 ------- 
Thanks!

amd64 stable

------- Comment #6 From Brent Baude 2008-10-04 16:20:06 0000 ------- 
Created an attachment (id=167180) [details]
ppc and ppc64 test failures

------- Comment #7 From Brent Baude 2008-10-04 16:20:47 0000 ------- 
Anyone else seeing test failures like this?  Same for me on both ppc and ppc64

------- Comment #8 From Robert Buchholz 2008-10-04 16:58:21 0000 ------- 
Created an attachment (id=167191) [details]
mercurial-1.0.2.ebuild

Brent, it seems these are the failures from bug 231280 and introduced by
1.0.1-r3. Does it work with this ebuild?

------- Comment #9 From Markus Meier 2008-10-04 17:27:23 0000 ------- 
(In reply to comment #8)
> Created an attachment (id=167191) [edit] [details]
> mercurial-1.0.2.ebuild
> 
> Brent, it seems these are the failures from bug 231280 and introduced by
> 1.0.1-r3. Does it work with this ebuild?

looks good on amd64/x86, no more test failures.

------- Comment #10 From Robert Buchholz 2008-10-04 17:47:52 0000 ------- 
updated the ebuild then, I left the keywords (and lack thereof) intact.

------- Comment #11 From Brent Baude 2008-10-04 18:22:37 0000 ------- 
ppc and ppc64 stable on -1.0.2 now.  all tests passed fine.

------- Comment #12 From Ferris McCormick 2008-10-04 20:01:39 0000 ------- 
Sparc stable.  All tests fine, although one is skipped:

Skipped test-no-symlinks: system supports symbolic links

The comment is correct, so I suppose that this is expected.

------- Comment #13 From Raúl Porcel 2008-10-05 10:45:55 0000 ------- 
alpha/ia64/x86 stable

------- Comment #14 From Pierre-Yves Rofes 2008-10-09 21:48:45 0000 ------- 
time for GLSA decision. I'd go for a NO here since the impact is rather low
IMHO.

------- Comment #15 From Robert Buchholz 2008-10-09 22:23:24 0000 ------- 
NO, impact is limited to secret files in repository. Seriously, who puts them
in a public repo anyway? :-)